Red Hat JBoss RichFaces Expression Language Injection Arbitrary Java Code Execution Vulnerability [CVE-2018-12533]
CVE Number – CVE-2018-12533
A vulnerability in Red Hat JBoss RichFaces could allow an unauthenticated, remote attacker to inject arbitrary code on a targeted system.
The vulnerability exists because the affected software allows injection of arbitrary Expression Language (EL) expressions. An attacker could exploit this vulnerability by using the org.richfaces.renderkit.html.Paint2DResource$ImageData object (RF-14310) to pass malicious resource data to the targeted system. A successful exploit could allow the attacker to execute arbitrary Java code on the system.
Red Hat has confirmed the vulnerability and released software updates.
To exploit this vulnerability, the attacker must send malicious resource data to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
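As a defender's worked example for the monitoring and access-control advice above (added here; it is not part of the advisory, of Red Hat's tooling or of RichFaces), the Python below triages combined-format web access logs for requests that reach the Paint2DResource handler the advisory names, flagging those that come from outside an allowlist of trusted networks or that carry unusually large resource data. The log format, the 256-character threshold and the `/app/res/` URL layout in the constructed sample lines are assumptions: the detector keys only on the class name, and it expects client IP addresses rather than resolved hostnames in the log.

```python
import ipaddress
import re
from urllib.parse import unquote

# Handler class named in the advisory for CVE-2018-12533.
SUSPECT_CLASS = "org.richfaces.renderkit.html.Paint2DResource"
# Combined log format (assumed); adjust the pattern for other servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def data_length(path):
    """Characters of encoded resource data after the handler name in the decoded
    request path; None when the request does not name the handler at all."""
    decoded = unquote(path)
    idx = decoded.find(SUSPECT_CLASS)
    return None if idx < 0 else len(decoded) - idx - len(SUSPECT_CLASS)

def triage(lines, trusted_nets, max_data_len=256):
    """Return (ip, timestamp, reason) for Paint2DResource requests that come from
    outside the trusted networks or carry more resource data than expected."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        dlen = data_length(m["path"])
        if dlen is None:
            continue  # ordinary request, not the handler in question
        src = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(src in net for net in nets):
            reasons.append("source outside trusted networks")
        if dlen > max_data_len:
            reasons.append(f"resource data unusually large ({dlen} chars)")
        if reasons:
            findings.append((m["ip"], m["ts"], "; ".join(reasons)))
    return findings

# Constructed sample traffic (not real logs; the /app/res/ URL layout is made up):
# a page view, a small image request from a trusted host, a large payload from outside.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2018:13:55:36 +0000] "GET /app/home.jsf HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Oct/2018:13:55:37 +0000] "GET /app/res/' + SUSPECT_CLASS + '/' + 'A' * 64 + ' HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2018:13:58:01 +0000] "GET /app/res/' + SUSPECT_CLASS + '/' + 'B' * 900 + ' HTTP/1.1" 200 12',
]
```

Feed it your real access log with `triage(open(path), ["<your trusted CIDRs>"])` and tune `max_data_len` against the sizes your application's legitimate Paint2DResource requests actually produce before acting on the findings.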
Red Hat has released an official CVE statement and security advisories for bug 1584490 at the following links: CVE-2018-12533, RHSA-2018:2663, RHSA-2018:2664, and RHSA-2018:2930
Red Hat has released updated software for registered subscribers via the Red Hat Subscription Management (RHSM) service. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.